diff --git a/server/src/main/kotlin/suwayomi/tachidesk/server/JavalinSetup.kt b/server/src/main/kotlin/suwayomi/tachidesk/server/JavalinSetup.kt
index 0e70ff8a..d4602c26 100644
--- a/server/src/main/kotlin/suwayomi/tachidesk/server/JavalinSetup.kt
+++ b/server/src/main/kotlin/suwayomi/tachidesk/server/JavalinSetup.kt
@@ -54,6 +54,20 @@ object JavalinSetup {
             }
 
             config.enableCorsForAllOrigins()
+
+            config.accessManager { handler, ctx, _ ->
+                fun credentialsValid(): Boolean {
+                    val (username, password) = ctx.basicAuthCredentials()
+                    return username == serverConfig.basicAuthUsername && password == serverConfig.basicAuthPassword
+                }
+
+                if (serverConfig.basicAuthEnabled && !(ctx.basicAuthCredentialsExist() && credentialsValid())) {
+                    ctx.header("WWW-Authenticate", "Basic")
+                    ctx.status(401).json("Unauthorized")
+                } else {
+                    handler.handle(ctx)
+                }
+            }
         }.events { event ->
             event.serverStarted {
                 if (serverConfig.initialOpenInBrowserEnabled) {
@@ -83,18 +97,6 @@ object JavalinSetup {
             ctx.result(e.message ?: "Internal Server Error")
         }
 
-        app.before { ctx ->
-            fun credentialsValid(): Boolean {
-                val (username, password) = ctx.basicAuthCredentials()
-                return username == serverConfig.basicAuthUsername && password == serverConfig.basicAuthPassword
-            }
-
-            if (serverConfig.basicAuthEnabled && !(ctx.basicAuthCredentialsExist() && credentialsValid())) {
-                ctx.header("WWW-Authenticate", "Basic")
-                ctx.status(401).json("Unauthorized")
-            }
-        }
-
         app.routes {
             path("api/v1/") {
                 GlobalAPI.defineEndpoints()